How to Test Your Crisis Preparedness Plan
Crises will inevitably take people, organizations, and security professionals by surprise, but they don’t need to catch you unprepared.
Sometimes corporate leaders will spend too much time in the boardroom debating what to do about a crisis, delaying critical responses. Having a plan in place enables strategic decisions to be made in the moment, backed up with previously earned buy-in, resources, and outside skill sets, says Rob Currie, owner and founder of RCAS and chair of the ASIS Crisis Management and Business Continuity (CMBC) Community steering committee.
Check out this guide to help you assess your school’s safety readiness for the upcoming year.
But no plan is perfect, and the best way to find the gaps in your crisis preparedness is to put it through its paces. That does not mean you should produce impractical scenarios—the more realistic, the better. Bringing in outside experts or consultants can often help frame exercises that would provide the most insights into a program, Currie adds.
Crawl. Walk. Run.
Your first test of a new crisis management program or protocol should not be a full-size exercise in the field, warns Ernest DelBuono, principal of DelBuono & Co and a member of the CMBC steering committee. Instead, follow a crawl, walk, run model—slowly increasing complexity and goals for each successive exercise.
Your first step should likely be a tabletop exercise. These are more often planning or validation sessions, walking through the crisis management plan as written and familiarizing the key players with their responsibilities during an incident. This is more of a facilitated discussion, and it skips simulations in favor of fact-finding.
Moving ahead with drills, start adding in simulation, playing different roles, and calling in changes to the scenario mid-exercise. This starts to test participants’ ability to change tactics on the fly while still guarding the organization’s strategic goals.
Finally, your organization can undertake a full-blown exercise. This can involve multiple levels or regions of the organization. If you are testing a large-scale crisis plan, devote the time for a longer exercise and plan resources around that. If you are hosting a 42-hour worldwide drill about a major disaster, factor in time to give key players nap breaks—just like you would in a real crisis.
Do not aim for a rosy, clean ending to the exercise though—the job of a tabletop exercise is not to solve a problem, DelBuono says, and there are no right or wrong answers at the end of the day.
“There is no end to these,” he says. “The end is the list we have on the electronic flipchart that tells us what we have to do next.”
Find out your top seven security news stories, delivered to your inbox weekly, and powered by ASIS International.
Ready to start testing your crisis preparedness plan? Consider these scenarios and strategies:
Review past after-action reports. If you find that crisis management teams are repeatedly making the same mistakes, it’s time to design exercises specific to those problems to help teams learn key lessons.
Take leaders out of the equation. A severe weather event hit a key organization site, but the senior leadership team is on a cross-continental flight and cannot be reached. This leaves crisis response—at least temporarily—to second-level leaders. This tests whether leaders have the confidence to delegate emergency responsibilities down the chain, and whether those secondary leaders are equipped to step up.
Consider alternative scenarios. Never assume “it can never happen here,” DelBuono advises. Airlines usually have well-trained, extremely effective “go teams” who can hop on a plan, get set up at a centralized location, and start managing major crises within a matter of hours. But on 9/11, flights were grounded, and crisis teams could not get to their locations, DelBuono says. While the airlines figured out alternative methods of getting their go teams where they needed to be, they called in consultants to run crisis response as a stop-gap measure. Practicing how to work under challenging conditions or without key players—not just leadership—is a useful test.
Change the industry. Want to test crisis management processes, not who knows the business the best? Use a hypothetical business in a different sector in your emergency planning exercises to see how stakeholders can apply crisis management skills to a foreign problem set. They might be surprised how effectively the basics hold up across industries.
Focus on the business plan. Sometimes leaders get caught up in trying to show how knowledgeable they are about the business during exercises, but it distracts from the essential mission—protecting the strategic goals of the organization. In the case of an exercise exploring what a luxury cruise company would do if a ship had to be evacuated mid-ocean, it’s a waste of time for the CEO to focus on how many lifeboats are onboard (which is mandated by law already). Instead, he or she should leave those issues to operations personnel and instead lead discussions on how the loss of a ship for the next several years will affect long-term business decisions, DelBuono says.
Designed to give you the foundational knowledge and skills you need to become a more dynamic security professional, including EP specific threat and risk assessment, protective intelligence, advance planning and more.
“The scenario at the end of the day almost doesn’t matter, but we need some reality so they feel they’re playing with real Monopoly money,” Currie adds. That level of realism helps to immerse different stakeholders in the exercise so they think more broadly, revisiting how they can unite multiple business functions and crisis response protocols into one unified strategy.